AWS ECS task definitions should not share the host's process namespace


Description

This check verifies whether an Amazon ECS task definition is configured to share the host’s process namespace with the containers it runs. The check fails if the task definition allows the host’s process namespace to be shared with those containers. The evaluation is based on the most recent active revision of each Amazon ECS task definition.

A process ID (PID) namespace isolates processes from one another: processes in other namespaces are not visible, and PIDs, including PID 1, can be reused in each namespace. If the host’s PID namespace is shared with containers, every container can see all processes on the host, which defeats the intended process-level isolation between the host and its containers. Such a setup could result in unauthorized access to host processes, enabling their unauthorized manipulation or termination. Therefore, it is recommended that customers refrain from sharing the host’s process namespace with containers.

Remediation

From the console

To configure the pidMode on a task definition, see Task definition parameters in the Amazon Elastic Container Service Developer Guide.
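The following is an added example, not code from this page, Datadog, or AWS. It applies the rule described above to task definition revisions (inspecting only the most recent ACTIVE revision and failing when pidMode is "host") and produces a remediated body with pidMode removed, which restores the default per-container PID namespace. The input dicts are constructed to mirror the family, revision, status, and pidMode fields of an ECS task definition; the function names are the example's own.

```python
# Added example (not Datadog's or AWS's own code): evaluate ECS task definition
# revisions for a shared host PID namespace using the most recent ACTIVE revision.
# Input dicts mirror the task definition fields family/revision/status/pidMode;
# all sample data below is constructed.
from typing import Iterable, Optional


def latest_active_revision(revisions: Iterable[dict]) -> Optional[dict]:
    """Return the highest-numbered revision whose status is ACTIVE, or None."""
    active = [td for td in revisions if td.get("status") == "ACTIVE"]
    return max(active, key=lambda td: td["revision"]) if active else None


def shares_host_pid_namespace(task_definition: dict) -> bool:
    """True when pidMode is "host". An absent pidMode is the default: each
    container gets its own PID namespace, so it passes the rule."""
    return task_definition.get("pidMode") == "host"


def evaluate_family(revisions: Iterable[dict]) -> dict:
    """Apply the rule to one task definition family; skip if nothing is ACTIVE."""
    latest = latest_active_revision(revisions)
    if latest is None:
        return {"evaluated": False, "reason": "no ACTIVE revision"}
    return {
        "evaluated": True,
        "family": latest["family"],
        "revision": latest["revision"],
        "pidMode": latest.get("pidMode"),
        "compliant": not shares_host_pid_namespace(latest),
    }


def remediated_copy(task_definition: dict) -> dict:
    """Return a task definition body with pidMode removed, to be registered as
    a new revision; the default gives every container its own PID namespace."""
    return {k: v for k, v in task_definition.items() if k != "pidMode"}


# Constructed sample: revision 3 is INACTIVE, so the rule inspects revision 2.
WEB_REVISIONS = [
    {"family": "web", "revision": 1, "status": "ACTIVE", "pidMode": "host"},
    {"family": "web", "revision": 2, "status": "ACTIVE", "pidMode": "host"},
    {"family": "web", "revision": 3, "status": "INACTIVE"},
]
API_REVISIONS = [{"family": "api", "revision": 1, "status": "ACTIVE"}]

if __name__ == "__main__":
    for revs in (WEB_REVISIONS, API_REVISIONS):
        print(evaluate_family(revs))
```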
